Slow Going in Utility Cybersecurity
THE GRAINY VIDEO of a diesel-electric generator smoking and seizing up offered a chilling visual to illustrate a growing security concern for utilities: the vulnerability of supervisory control and data acquisition (SCADA) systems to cyberattack. Taken in March 2007 at the federal government’s Idaho National Laboratory (INL) and leaked to the media later that year, the video demonstrated government hackers successfully exploiting what they call the “Aurora” vulnerability.
The exact nature of Aurora is unknown to the public; the government has designated it for-official-use-only (FOUO). Yet the handling of the vulnerability by both government and industry has led to questions in both sectors about the speed and effectiveness with which they share information about threats and vulnerabilities and take steps to address them.
The Department of Homeland Security (DHS) approached some utility sector leaders about Aurora as early as February 2007. The next month, DHS shared the information with the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection Committee, according to congressional testimony by Barry Lawson, manager of power delivery for the National Rural Electric Cooperative Association, who was then a member of the NERC committee, which he now chairs.
NERC, an industry self-regulatory body, doubles as the Electricity Sector Information Sharing and Analysis Center (ESISAC). DHS recommends that each of the 18 critical infrastructure sectors maintain an ISAC as an information-sharing hub. Yet Lawson testified that DHS prohibited him and fellow committee members from discussing the Aurora vulnerability with membership at large.
A NERC official told Security Management that “we thought that if it was that important, we should be able to share the information with people in the industry who had a need to know.” It was not until three months later, in June 2007, that DHS and sector experts completed an FOUO technical advisory about Aurora and distributed it to power operators via NERC.
DHS spokesperson Amy Kudwa says the government did not rush to share information about the vulnerability because doing so might have led to the creation of a threat where one did not exist.
The incident revealed that NERC had no system for alerting members to threats and vulnerabilities. Only after the Aurora vulnerability arose did NERC devise a sector-wide advisory system and compile a contact list for the roughly 1,800 owners, operators, and users of the bulk power system, according to testimony of NERC President and CEO Richard Sergel.
The new advisory construct provides for three types of advisories: alerts, which are generally informational; recommendations for action; and immediate actions.
Although cyberthreats and corresponding vulnerabilities can emerge quickly and change by the day or even the second, security advisories issued by NERC require approval, by vote, of NERC’s executive board. NERC must then give its government overseer, the Federal Energy Regulatory Commission (FERC), five business days’ notice before it issues an advisory. After an “immediate action” advisory is issued, operators have 30 days to report back on what action they have taken.
Separately, last year FERC approved a set of sector-wide cybersecurity reliability standards drafted by NERC, covering issues including asset identification, controls, training, incident reporting, and recovery. While the standards carry heavy fines for noncompliance, they too illustrate the speed of regulation relative to cyberthreats: the standards took three years to draft and will not be fully enforceable until December 2010.
Due to the slow pace and other inadequacies of the current regimen and spurred by Aurora, FERC has asked Congress for expanded legal authority to go around NERC and issue “orders” and “directives” that would mandate faster operator activity, with penalties for failure to comply, until NERC can complete permanent standards to address problems. Lawmakers considered the matter last year, but did not act, leaving the issue to this year’s new Congress.
Hackers, regardless of motive, are not waiting. Last year, the CIA disclosed that hackers had successfully shut down the electrical grids of at least three foreign cities to extort payoffs.
NERC has created a new chief security officer position and tapped former INL official Michael Assante for the job.
U.S. utility sector officials, meanwhile, expressed confidence that both the government and operators are sharing threat and vulnerability information in real time and acting to protect systems.
Todd Nicholson, chief marketing officer of SCADA security vendor Industrial Defender, says the electric industry “has been proactive in fixing known vulnerabilities.”
The NERC official says, “There doesn’t have to be an order from FERC or a standard from NERC to protect the bulk power system. The operators do it now, every hour, every day, every minute, and they’re going to continue to do it whether it’s a physical security issue or a cybersecurity issue.”